Major service changes

From OCF Help Wiki
Revision as of 22:15, 27 May 2010 by Jordan (Talk | contribs)



Systemwide Rebuild - May 2010

Beginning in May 2010, the OCF will be rebuilding most of its services. This is for a variety of reasons: we want to secure some of our core systems, we want to upgrade our user-facing systems, and we want to migrate off of Solaris. This means that a lot of changes will happen on the back-end, but for the most part, these changes should be minimal to our users.

That being said, there are a few things that our users will notice immediately:

  • We will upgrade the Windows lab clients to Windows 7
  • We will be getting new, improved Linux lab client hardware
  • We will be migrating our login servers ( to Debian GNU/kFreeBSD (the Debian userspace on top of a FreeBSD kernel) on x86 platforms

There are some things that will be less visible to users:

  • The webserver will be migrated to FreeBSD
  • MySQL will be upgraded to version 5.1 (we're currently running 4.1 - see the note below from April 2005)
  • We'll be adding tentative FastCGI support to our webserver environment (hello Rails and Django!)

And there are some things that should be more or less invisible to users:

  • Lots of servers will be consolidated to reduce complexity and increase manageability
  • Web directories and home directories will be migrated to a newer, more reliable disk array
  • Mail services (spam filtering, virus scanning, POP, IMAP, etc) will be moved to faster hardware
  • A Windows Server 2008 domain controller will allow for more timely patching of Windows machines and should increase performance

These changes will necessitate a change in our SSH keys. See SSH host keys for our up-to-date list of host keys.

PHP upgrade - March 21st, 2008

The OCF is switching its default PHP interpreter from PHP 4.4 to PHP 5.2, beginning March 21st, 2008. Support for PHP 4 will end on May 12th, 2008, due to the PHP developers' decision to end support for PHP 4. All PHP users should review their web applications for compatibility with PHP 5 as soon as possible. Most widely-used web applications already support PHP 5, so in many cases, no action is needed; in most others, an application upgrade will be sufficient to ensure proper continued functionality. Check with the developer of your PHP web application to see whether or not it needs upgrading to work correctly with PHP 5.

Users who use custom-written PHP applications need to review their code for PHP 5 compatibility; see [1] for information on what's changed between PHP 4 and 5, and [2] and [3] for the (many fewer) differences between PHP 5.0 and 5.2.

Between now and March 21st, you may test your applications with PHP 5 using these instructions. After March 21, users who require more time to review their code may continue to use the PHP 4 interpreter by doing one of the following:

  • Rename your PHP CGI scripts to end with a .php4 extension.
  • If you're treating your PHP scripts as regular CGI scripts, use /opt/ocf/bin/php4 as the path to the PHP interpreter.
  • Place an .htaccess file in the root of your PHP script directory (for example, in public_html) with the following contents:
    AddHandler cgiwrap-php4 .php

This PHP 4 support will NOT work after May 12th.

If you already configure your PHP scripts to use PHP 5 (as per these instructions for instance), they will not be broken by this change. However, after March 21, you should undo your configuration changes so that you are running the OCF default configuration.

Mail server settings - August 1, 2007

The OCF is requiring users who use POP or IMAP to read their OCF email to use TLS- or SSL-secured connections to OCF's mailservers. This change significantly reduces the risk of an attacker hijacking your account by intercepting your password, slightly improves the security of your email, and brings us into compliance with the campus Minimum Security Standards for Networked Devices. Webmail and local mail access are unaffected, but users using POP or IMAP to read their mail will need to reconfigure their mail clients to use secure connections in order to continue using them to read their OCF mail.

See Using secure POP and IMAP for instructions on how to configure your mail client to read your OCF mail.

SSH upgrade - March 15, 2007

The default SSH binary for most users on the OCF's Solaris machines (ssh) has become a symlink to OpenSSH 4.6p1 (openssh), instead of commercial SSH 1.2.33. This change brings SSH protocol version 2 support to the OCF's default SSH client, improving security and compatibility with other machines. The old SSH 1 binary will continue to be available as ssh1, as will the commercial SSH client available as ssh2 (version Most users will not notice the change. However, X forwarding is no longer enabled by default, for security reasons; pass the -X option to enable it (or better yet, -XC, which also enables compression, speeding up your X session).

Users with SSH keys generated for the SSH version 1 client can continue to use them using ssh1 or ssh -1 (OpenSSH), generate new SSH version 2 keys for use with OpenSSH or the commercial SSH client using ssh-keygen (OpenSSH) or ssh-keygen2 (commercial SSH), or convert their existing SSH version 1 key to an SSH version 2 key. See SSH key management for information on creating a new SSH version 2 key or converting your existing SSH version 1 key.

Note that if you have never logged into a host before using SSH2, you may see a message asking you to verify the host's key fingerprint, as if you had never logged into the host before using any version of SSH. You should verify this key fingerprint, as always; one way to do this, assuming you've logged into the host in the past via SSH1, is to log in to the host using ssh1 or ssh -1 (OpenSSH) and display the fingerprint with something like ssh-keygen -l -f /etc/ssh/

Mail server settings - March 9, 2007

The OCF is requiring users to log in with their username and password in order to send mail through the OCF. This change decreases the likelihood of spam being relayed via the OCF, and brings us into compliance with the campus Minimum Security Standards for Networked Devices. Webmail and local mail access are unaffected, but users sending mail via the OCF from outside the OCF need to reconfigure their mail clients to provide a username and password when sending mail.

Note that SMTP relaying via port 25, the default configuration for most mail clients, has been disabled for the last few months for anti-spam purposes. We apologize for this inconvenience; sending mail via the OCF should work provided you follow the instructions provided.

See Using secure authenticated SMTP for instructions on how to configure your mail client to send mail via the OCF.

SSH host keys change - August 22, 2006

Most OCF machines, including the login servers (apocalypse, conquest) serving OCF.Berkeley.EDU, have been reinstalled. As a result, SSH host keys have changed; see SSH host keys if you'd like to verify the fingerprints. Most SSH clients will complain loudly about this as a security feature (this prevents someone from impersonating an OCF machine), so you will probably need to replace the old host keys in your known hosts database with the new ones; see the documentation for your SSH client for more information on how to do this.
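The fingerprint check described in the SSH upgrade note above and the known-hosts cleanup this reinstall requires can be scripted rather than eyeballed. The following is an added example, not code from the OCF; it computes fingerprints the way ssh-keygen -l does (SHA256 in the modern form, MD5 colon-hex in the 2007 form) and audits a known_hosts file against a published fingerprint list. The hostnames, IP and key bytes are constructed placeholders, not real OCF hosts or keys.

```python
"""Check host keys in a known_hosts file against a published fingerprint list.

Added example; the key bytes and hostnames below are constructed placeholders,
not real OCF keys or hosts.
"""
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_pubkey_line(key_type: str, raw_key: bytes) -> str:
    """Build an OpenSSH public-key line ('<type> <base64 blob>') from raw key bytes."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form modern ssh-keygen -l prints: SHA256:<unpadded base64>."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """MD5 fingerprint as colon-separated hex, the format ssh-keygen -l printed in 2007."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_known_hosts(text: str):
    """Yield (hostnames, key_type, pubkey_line) for each plain-text entry.

    Comment lines, hashed entries ('|1|...', which hide the hostname) and malformed
    lines are skipped; '@cert-authority' / '@revoked' markers are stripped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        yield fields[0].split(","), fields[1], f"{fields[1]} {fields[2]}"


def audit_known_hosts(text: str, host: str, published) -> dict:
    """Split the entries for `host` into those matching a published fingerprint and stale ones.

    A stale entry is what makes a client 'complain loudly' after a reinstall; it
    should be removed (ssh-keygen -R <host>) and the new key accepted only after
    its fingerprint has been checked against the published list.
    """
    result = {"ok": [], "stale": []}
    for hosts, key_type, pubkey_line in parse_known_hosts(text):
        if host not in hosts:
            continue
        fp = fingerprint_sha256(pubkey_line)
        result["ok" if fp in published else "stale"].append((key_type, fp))
    return result


# Constructed sample data: two placeholder keys and a known_hosts file that still
# carries the pre-reinstall key alongside the current one.
OLD_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))
NEW_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32, 64)))
PUBLISHED_FINGERPRINTS = {fingerprint_sha256(NEW_KEY_LINE)}
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    f"login.example.edu,10.0.0.5 {OLD_KEY_LINE}",
    f"login.example.edu {NEW_KEY_LINE}",
    f"|1|c2FsdA==|aGFzaA== {NEW_KEY_LINE}",  # hashed entry, hostname not recoverable
    f"other.example.edu {OLD_KEY_LINE}",
])

if __name__ == "__main__":
    report = audit_known_hosts(SAMPLE_KNOWN_HOSTS, "login.example.edu", PUBLISHED_FINGERPRINTS)
    for key_type, fp in report["ok"]:
        print(f"OK     {key_type} {fp}")
    for key_type, fp in report["stale"]:
        print(f"STALE  {key_type} {fp}  (remove with: ssh-keygen -R login.example.edu)")
```

Entries hashed with HashKnownHosts cannot be matched by hostname here; for those, run ssh-keygen -F on the host instead and compare the fingerprint it prints the same way.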

Webserver upgrade - August 6, 2006

The OCF has migrated to a new web server setup on a new machine; this brings much faster server response times. Static content and most web applications should be unaffected; however, there is a possibility that the upgrade will break some web applications. For more information, see Major service changes/August 2006 web server migration.

New disk array in service - October 22, 2005

The move of home and web directories to a new disk array with ~1 terabyte of space was completed. The major user-visible change is that home and web quotas are now consolidated, so users may use their total allocated space as they see fit. Note that the email inbox quota remains separate.

PHP register_globals turn off - August 10, 2005

The default value of the PHP directive register_globals has been changed to OFF. This is a long overdue security change. Some user-written PHP scripts may be affected. Commonly used PHP applications should have been updated to account for this change long ago.

For details about what register_globals is and what changes you may need to make in your PHP code, see this page.

Major MySQL and Perl upgrade - April 2, 2005

The following changes have been made:

  • MySQL has been upgraded to version 4.1.10a (it was previously 3.23.58).
  • Perl has been upgraded to version 5.8.6 (the default version was previously 5.005_03).

These upgrades should improve performance and compatibility with modern applications. Note that some older applications may have compatibility issues with either of these newer versions. For information on technical differences between these software versions, see for example:

Note that you may have to visit release notes for previous versions to see the full history of what has changed between an old version and the current version.

Additional notes

PHP has been rebuilt to use libraries from the new MySQL version, but it should otherwise be unaffected. Our new default Perl installation may not have certain modules built that were in our previous default Perl installation; if this is the case, please contact us with specific details of the problem you have run into, what module you believe is missing, etc.

Telnet and FTP turn off - January 15, 2004

Unsecured telnet and ftp services have been discontinued. Unsecured POP and IMAP mail services will be discontinued at a later date, to be announced. This is because these services send passwords over the network in plain view of any persons who may be monitoring transmissions, allowing them to access your account if they desire. There are secure (encrypting or one-time password) alternatives readily available for the most common platforms.

Note that SafeTP, although believed to be secure, has also been discontinued because it would provide no significant benefit over sftp. Also note that we now support the S/Key one-time-password system as an authentication method for telnet and ftp. S/Key is not a very convenient method of authentication for the average user, but if you wish, you can view a brief introduction and tutorial on S/Key here. You can find a JavaScript-based online S/Key calculator here. Please connect to skey.OCF.Berkeley.EDU for S/Key logins (whether telnet or ftp). Note that our systems are configured to use MD5 hashing. We may consider supporting ftp over SSL if there is sufficient demand for it; let us know if this would be very useful to you.
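To make concrete what the S/Key calculator linked above computes, and why a password captured on the wire cannot be replayed, here is an added example (not OCF code, and not the linked calculator) of the MD5-based one-time-password chain, modelled on the OTP algorithm of RFC 2289, which standardised S/Key. It includes both the client-side calculation and the server-side check, so the whole exchange can be run offline; the pass phrase and seed are constructed values.

```python
"""S/Key-style one-time password chain using MD5 (the hash the OCF note says its systems use).

Added example modelled on the OTP algorithm of RFC 2289, which standardised S/Key;
pass phrase and seed values are constructed for the demonstration.
"""
import hashlib


def _fold_md5(data: bytes) -> bytes:
    """One hash step: MD5 the input, then fold the 128-bit digest to 64 bits by XORing its halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """The 64-bit one-time password for sequence number `count`.

    Sequence 0 is fold(MD5(seed + passphrase)); every higher sequence number is one
    more hash step, so knowing password N reveals N+1 (hash forward) but not N-1.
    The seed is lower-cased first, as the OTP specification requires.
    """
    value = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = _fold_md5(value)
    return value


def to_hex(value: bytes) -> str:
    """Render an OTP the way calculators show it: 16 upper-case hex digits in four groups."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class SKeyServer:
    """Server side of the exchange.

    Only the last accepted OTP and its sequence number are stored; the pass phrase
    never leaves the client, which is what makes a sniffed login useless for replay.
    """

    def __init__(self, passphrase: str, seed: str, initial_count: int):
        self.seed = seed
        self.count = initial_count
        # Enrollment: the chain head is computed once, then the pass phrase is discarded.
        self.stored = otp(passphrase, seed, initial_count)

    def challenge(self) -> str:
        """The prompt shown to the user, e.g. 'otp-md5 98 seed'; the client answers with OTP(count-1)."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response if hashing it forward once reproduces the stored value."""
        if self.count < 1:
            return False  # chain exhausted: a fresh enrollment is required
        try:
            response = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(response) != 8 or _fold_md5(response) != self.stored:
            return False
        # Move the chain down one step; the response just used can never be accepted again.
        self.stored = response
        self.count -= 1
        return True


if __name__ == "__main__":
    PASSPHRASE, SEED = "correct horse battery", "ocf1"   # constructed values
    server = SKeyServer(PASSPHRASE, SEED, initial_count=4)
    for _ in range(3):
        prompt = server.challenge()
        n = int(prompt.split()[1])
        answer = to_hex(otp(PASSPHRASE, SEED, n))     # what the calculator would print
        print(prompt, "->", answer, "accepted" if server.verify(answer) else "rejected")
    print("replay of last answer:", "accepted" if server.verify(answer) else "rejected")
```

The server never learns the pass phrase, and each accepted response lowers the sequence number, so an observer who records a login holds a value that is only good for computing later (already used) entries of the chain, never the next one the server will ask for.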

Replacement for Telnet

Instead of telnet, please use SSH (Secure SHell).

Replacement for FTP

Instead of ftp, please use sftp (SSH File Transfer Protocol).

  • Windows users -- the ssh client mentioned in the preceding section includes an sftp client; please refer to the aforementioned page for details. This client is the one we recommend. However, if this is not satisfactory to you, some alternatives you might consider include WinSCP and FileZilla. In the case of FileZilla, remember to set it to connect using SFTP instead of FTP.
  • MacOS X users -- sftp is available from the Terminal as 'sftp'. Fugu is a free graphical interface to sftp that can be downloaded here.
  • Unix users -- sftp is usually accessible from the command line on Unix or Unix-like systems as 'sftp'. If you have no sftp client installed, you can get it as part of the OpenSSH package. You may find the 'scp' and 'rsync' commands to be useful as well.

If you find it difficult to give up your existing ftp client (perhaps because it's integrated with Dreamweaver or whatever), you may consider trying the "FTP to SFTP bridge" feature of MindTerm SSH. MindTerm is a Java-based program that runs on many different platforms that have a Java runtime (including Windows, Mac, and many Unix-like systems). You will need a Java runtime installed before you can run MindTerm (try double-clicking on the .jar file; if the program runs, you don't need to download a separate Java runtime). Otherwise, try downloading a Java runtime from

The "bridge" feature basically creates a virtual FTP server on your local computer. When you log into this virtual server, the server translates the commands your FTP client gives it to corresponding SFTP commands on our SFTP server. You can either download MindTerm from the MindTerm page, or OCF maintains a local copy in this directory. This guide should give you a good idea of how to set up the bridge; simply replace "" with "", "monir" with your real username, and "/home/fac6/monir/web" with "public_html".

Note to Dreamweaver users: As far as we know, only Dreamweaver MX 2004 provides built-in support for SFTP. For users of earlier versions of Dreamweaver MX or Dreamweaver, if you want to use the built-in FTP client, then the "FTP to SFTP bridge" described above is your best bet.
